[Snort-users] Re: [tcpdump-workers] Unknow packet

Guy Harris guy at ...4602...
Wed Jan 16 14:44:06 EST 2002

> I have been experimenting with writing a sniffer in Perl.  While testing the
> script I received the packet below.  The ScrMac is of my layer3 switch and I
> do not know the DestMAC.  This has me worried.

It's a Cisco Discovery Protocol packet, and the destination MAC is a
multicast MAC rather than a unicast MAC (CDP packets are multicast), so
it won't be the MAC address of *any* of the machines on your network (or
of any machine anywhere on the planet).

> I have tried Analyzer,
> Ethereal, Optimal, and Tcpdump but they drop the packet for some reason
> (this is an assumption; I never see the packet in their output).

There is no reason why Ethereal or tcpdump would drop that packet,
unless they were run with a capture filter that would exclude CDP
packets.  Perhaps the packet gets lost somewhere else, but if your
sniffer is using libpcap/WinPcap, it gets the same stuff that Analyzer,
Ethereal, and tcpdump/WinDump would get when run on the same machine, if
you capture on the same interface using the same packet filter.

More information about the Snort-users mailing list